# apt-get update
# apt-get install openssl
# apt-get install ssl-cert
# emacs /etc/ssl/openssl.cnf
--------
* [ CA_default ]
  default_days = 400   # how long to certify for
* [usr_cert]
  uncomment nsCertType=server
* [v3_ca]
  uncomment nsCertType=sslCA, emailCA
* [ req_distinguished_name ]
  countryName_default = JA
  stateOrProvinceName_default = Hokkaido
  organizationName_default = Department of Science
  organizationalUnitName_default = Earth and Planetaly science
Note: if a valid certificate has already been obtained, the following steps are not needed.
# cd /usr/lib/ssl/misc
# ./CA.sh -newca
----------------------------------------------------
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...............+++
..............................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:              (nothing needs to be entered)
Verifying - Enter PEM pass phrase:  (same as above)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JA stateOrProvinceName_default = Hokkaido]:JA
State or Province Name (full name) [Hokkaido]:Hokkaido
Locality Name (eg, city) []:Sapporo
Organization Name (eg, company) [Department of Science]:Department of Science
Organizational Unit Name (eg, section) []:Earth and Planetary Science
Common Name (e.g. server FQDN or YOUR name) []:www.ep.sci.hokudai.ac.jp
Email Address []:epwww.ep.sci.hokudai.ac.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 16574434081669068930 (0xe60437fb6f033882)
        Validity
            Not Before: Jul 14 09:09:56 2013 GMT
            Not After : Jul 13 09:09:56 2016 GMT
        Subject:
            countryName               = JA
            stateOrProvinceName       = Hokkaido
            organizationName          = Department of Science
            organizationalUnitName    = Earth and Planetary Science
            commonName                = www.ep.sci.hokudai.ac.jp
            emailAddress              = epwww.ep.sci.hokudai.ac.jp
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                66:B7:8D:68:5F:B8:CC:EE:61:78:31:14:FE:6D:70:18:EA:F4:51:6A
            X509v3 Authority Key Identifier:
                keyid:66:B7:8D:68:5F:B8:CC:EE:61:78:31:14:FE:6D:70:18:EA:F4:51:6A
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Cert Type:
                SSL CA, S/MIME CA
Certificate is to be certified until Jul 13 09:09:56 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

If you made a mistake, run the following. (It should be fine.)
# rm /usr/lib/ssl/misc/demoCA/private/cakey.pem
# rm /usr/lib/ssl/misc/demoCA/newcerts/*.pem
As it stands, Apache will prompt for the passphrase every time it starts, so remove the passphrase from the key that was created.
# openssl rsa -in ./demoCA/private/cakey.pem -out ./demoCA/private/cakey.pem
# /usr/sbin/make-ssl-cert   (running it without arguments prints the usage)
Usage: /usr/sbin/make-ssl-cert template output [--force-overwrite]
Usage: /usr/sbin/make-ssl-cert generate-default-snakeoil [--force-overwrite]
# openssl x509 -inform pem -in ./demoCA/cacert.pem -outform der -out ./demoCA/ca.der
# mkdir /etc/apache2/ssl
# cp ./demoCA/cacert.crt /etc/apache2/ssl
# mkdir /etc/apache2/ssl/private
# cp ./demoCA/private/cakey.pem /etc/apache2/ssl/private/
# cd /etc/apache2/sites-available/
# cp /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz .
# gzip -d httpd-ssl.conf.gz
# mv httpd-ssl.conf ssl
# cd /etc/apache2/sites-available
# emacs default-ssl
SSLCertificateFile    /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
#SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# emacs ssl
Register /etc/apache2/ssl/cacert.crt:
SSLCertificateFile "/etc/apache2/ssl/cacert.crt"
SSLCertificateKeyFile /etc/apache2/ssl/private/cakey.pem
DocumentRoot "/var/www/"
ServerName sango.ep.sci.hokudai.ac.jp:443
ServerAdmin epwww@ep.sci.hokudai.ac.jp
# /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
You will be asked for the host name; enter sango.ep.sci.hokudai.ac.jp
# emacs /etc/apache2/sites-available/ssl
#SSLCertificateFile "/etc/apache2/ssl/cacert.crt"
SSLCertificateFile "/etc/apache2/ssl/apache.pem"
#SSLCertificateKeyFile "/etc/apache2/ssl/private/cakey.pem"
SSLCertificateKeyFile "/etc/apache2/ssl/apache.pem"
# apache2ctl -t
Syntax OK
# a2ensite default-ssl
# a2enmod ssl
# /etc/init.d/apache2 restart

If an error like the following appears when restarting apache2, fix it as described below.

[Fri Sep 21 14:00:22 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
.....
=====>>>> Edit /etc/apache2/sites-available/ssl and comment out "Listen 443".
Note: if "Listen 443" is written more than once across the config (.conf) files, the message above appears, so comment out the "Listen 443" in ssl (httpd-ssl.conf).
Reference URL: http://blog.paz-para.com/?p=584
Type https://sango.ep.sci.hokudai.ac.jp/ into the browser (or click the URL above); when you connect, the browser tells you that this site is self-signed.
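A non-interactive equivalent of the CA creation above, together with checks for the two problems this page runs into (a key that still has a passphrase, and more than one "Listen 443"). This is added example code, not from the original page; it assumes OpenSSL is installed, a 2048-bit key, the ISO country code JP in place of the page's JA, and a config file named ca.cnf.

```shell
# Added example (not code from the original page): a non-interactive version of
# the "CA.sh -newca" step, plus the checks a practitioner would run before
# pointing Apache at the files. DN values come from the page; the 2048-bit key,
# the country code JP and the config file name ca.cnf are assumptions.

# Create a CA key and self-signed certificate under $1. -nodes writes the key
# without a passphrase, which is what the page's later "openssl rsa" step
# achieves; the extensions mirror the page's [v3_ca] settings.
make_ca() {
    dir="$1"
    mkdir -p "$dir/private"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
C  = JP
ST = Hokkaido
L  = Sapporo
O  = Department of Science
OU = Earth and Planetary Science
CN = www.ep.sci.hokudai.ac.jp
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
nsCertType = sslCA, emailCA
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 400 -config "$dir/ca.cnf" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
}

# Succeed if the certificate carries the CA:TRUE basic constraint.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeed if the private key is still passphrase-protected (Apache would then
# prompt for it at every restart, the problem the page's "openssl rsa" step removes).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Print the number of active "Listen 443" directives under a config directory;
# the page's fix for the port-443 warning leaves exactly one.
count_listen_443() {
    grep -rhE '^[[:space:]]*Listen[[:space:]]+443([[:space:]]|$)' "$1" 2>/dev/null \
        | wc -l | tr -d ' '
}
```

Run `make_ca ./ca_setup` and then `is_ca_cert ./ca_setup/cacert.pem`, `key_is_encrypted ./ca_setup/private/cakey.pem` and `count_listen_443 /etc/apache2` to check an installation before restarting Apache.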
Last updated: 2017/03/26 (須藤 康平) | Copyright © 2017 epcore